From 62ac74eb5864c4e392ba7f17172ddac7f2ba69a2 Mon Sep 17 00:00:00 2001 
From: Giuseppe Longo Date: Thu, 13 Apr 2023 18:59:03 +0200 Subject: [PATCH] sip: add tests for sip over tcp --- tests/sip-pattern-matching/Makefile | 3 + tests/sip-pattern-matching/README.md | 7 + .../sip-pattern-matching.syn | 21 +++ tests/sip-pattern-matching/sip.pcap | Bin 0 -> 1099 bytes tests/sip-pattern-matching/test.yaml | 19 +++ tests/sip-tcp-body-frames/README.md | 1 + tests/sip-tcp-body-frames/test.rules | 11 ++ tests/sip-tcp-body-frames/test.yaml | 62 ++++++++ tests/sip-tcp-method/README.md | 1 + tests/sip-tcp-method/sip-tcp.pcap | Bin 0 -> 2018 bytes tests/sip-tcp-method/sip_client.c | 137 +++++++++++++++++ tests/sip-tcp-method/sip_server.c | 140 ++++++++++++++++++ tests/sip-tcp-method/test.rules | 1 + tests/sip-tcp-method/test.yaml | 28 ++++ tests/sip-tcp-pattern-matching/Makefile | 3 + tests/sip-tcp-pattern-matching/README.md | 7 + .../sip-tcp-pattern-matching.syn | 21 +++ tests/sip-tcp-pattern-matching/sip.pcap | Bin 0 -> 1473 bytes tests/sip-tcp-pattern-matching/test.yaml | 34 +++++ tests/sip-tcp-protocol/README.md | 1 + tests/sip-tcp-protocol/test.rules | 2 + tests/sip-tcp-protocol/test.yaml | 40 +++++ tests/sip-tcp-request-line/README.md | 1 + tests/sip-tcp-request-line/test.rules | 1 + tests/sip-tcp-request-line/test.yaml | 28 ++++ tests/sip-tcp-response-line/README.md | 1 + tests/sip-tcp-response-line/test.rules | 1 + tests/sip-tcp-response-line/test.yaml | 28 ++++ tests/sip-tcp-stat-code/README.md | 1 + tests/sip-tcp-stat-code/test.rules | 1 + tests/sip-tcp-stat-code/test.yaml | 28 ++++ tests/sip-tcp-stat-msg/README.md | 1 + tests/sip-tcp-stat-msg/test.rules | 1 + tests/sip-tcp-stat-msg/test.yaml | 28 ++++ tests/sip-tcp-uri/README.md | 1 + tests/sip-tcp-uri/test.rules | 1 + tests/sip-tcp-uri/test.yaml | 28 ++++ 37 files changed, 689 insertions(+) create mode 100644 tests/sip-pattern-matching/Makefile create mode 100644 tests/sip-pattern-matching/README.md create mode 100644 tests/sip-pattern-matching/sip-pattern-matching.syn create mode 100644 
tests/sip-pattern-matching/sip.pcap create mode 100644 tests/sip-pattern-matching/test.yaml create mode 100644 tests/sip-tcp-body-frames/README.md create mode 100644 tests/sip-tcp-body-frames/test.rules create mode 100644 tests/sip-tcp-body-frames/test.yaml create mode 100644 tests/sip-tcp-method/README.md create mode 100755 tests/sip-tcp-method/sip-tcp.pcap create mode 100644 tests/sip-tcp-method/sip_client.c create mode 100644 tests/sip-tcp-method/sip_server.c create mode 100644 tests/sip-tcp-method/test.rules create mode 100644 tests/sip-tcp-method/test.yaml create mode 100644 tests/sip-tcp-pattern-matching/Makefile create mode 100644 tests/sip-tcp-pattern-matching/README.md create mode 100644 tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn create mode 100644 tests/sip-tcp-pattern-matching/sip.pcap create mode 100644 tests/sip-tcp-pattern-matching/test.yaml create mode 100644 tests/sip-tcp-protocol/README.md create mode 100644 tests/sip-tcp-protocol/test.rules create mode 100644 tests/sip-tcp-protocol/test.yaml create mode 100644 tests/sip-tcp-request-line/README.md create mode 100644 tests/sip-tcp-request-line/test.rules create mode 100755 tests/sip-tcp-request-line/test.yaml create mode 100644 tests/sip-tcp-response-line/README.md create mode 100644 tests/sip-tcp-response-line/test.rules create mode 100755 tests/sip-tcp-response-line/test.yaml create mode 100644 tests/sip-tcp-stat-code/README.md create mode 100644 tests/sip-tcp-stat-code/test.rules create mode 100644 tests/sip-tcp-stat-code/test.yaml create mode 100644 tests/sip-tcp-stat-msg/README.md create mode 100644 tests/sip-tcp-stat-msg/test.rules create mode 100644 tests/sip-tcp-stat-msg/test.yaml create mode 100644 tests/sip-tcp-uri/README.md create mode 100644 tests/sip-tcp-uri/test.rules create mode 100755 tests/sip-tcp-uri/test.yaml diff --git a/tests/sip-pattern-matching/Makefile b/tests/sip-pattern-matching/Makefile new file mode 100644 index 000000000..09b5e3c55 --- /dev/null 
+++ b/tests/sip-pattern-matching/Makefile @@ -0,0 +1,3 @@ +sip.pcap: sip-pattern-matching.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/sip-pattern-matching/README.md b/tests/sip-pattern-matching/README.md new file mode 100644 index 000000000..f78c05298 --- /dev/null +++ b/tests/sip-pattern-matching/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that SIP/TCP is detected with pattern matching. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/sip-pattern-matching/sip-pattern-matching.syn b/tests/sip-pattern-matching/sip-pattern-matching.syn new file mode 100644 index 000000000..0ed0082eb --- /dev/null +++ b/tests/sip-pattern-matching/sip-pattern-matching.syn @@ -0,0 +1,21 @@ +flow default udp 1.1.1.1:5555 > 2.2.2.2:5062; +default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d +Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d +From: ;tag=903df0a\x0d +To: \x0d +Call-ID: 578222729-4665d775@578222732-4665d772\x0d +Contact: ;expires=1200;q=0.500\x0d +Expires: 1200\x0d +CSeq: 68 REGISTER\x0d +Content-Length: 0\x0d +Max-Forwards: 70\x0d +User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";); +default < (content:"SIP/2.0 401 Unauthorized\x0d +Call-ID: 578222729-4665d775@578222732-4665d772\x0d +CSeq: 68 REGISTER\x0d +From: ;tag=903df0a\x0d +To: ;tag=00-04092-1701af62-120c67172\x0d +Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d +WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d +Content-Length: 0\x0d\x0a\x0d\x0a";); + 
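Review bot: The `.syn` declares `flow default udp 1.1.1.1:5555 > 2.2.2.2:5062;` while the README added in the same directory says `Test that SIP/TCP is detected with pattern matching.`; this directory is the UDP counterpart of `tests/sip-tcp-pattern-matching`, whose `.syn` uses a tcp flow with the same payload. Either the README should read `Test that SIP/UDP is detected with pattern matching.` or the flow line should be tcp, as in the sibling. A reader comparing the two directories otherwise cannot tell which transport this test is meant to cover.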
diff --git a/tests/sip-pattern-matching/sip.pcap b/tests/sip-pattern-matching/sip.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8dc982a9d7666a25077b807bc19758ed91a215bb GIT binary patch literal 1099 zc-pm6&1=*^6wfYuD1jWLR0N?61#e9{Gx?Y#YswaPTNbS>-F_VG!AUZ^8_Xu#N&1N( z9{ev<@YaI|v44Py(7(W&2fcd`R8Rz|lWtc^6-B`ZkC}P%d-LAB-|yASr;o}~MH<=B zktCJG`gotRdmk#&H*qNZ?Zcakvv*&7eo`tQjY$ou^uB=A&halLVP#@=DWQl2aFJWu;BxLlOoN+V=LORt@+KU>Xd*K?pA zb|6*c<@ApUihPB}vD&P=z$7-tm|#bAVVNNzX6+=T<536;e46Am$X#&e=~FGcCbVER zjuPfM0SR&FhqibKB0ZR`vYkQ1S>_=OVRgfUnhC|c8pEgyim)isW*aWBY%m)4ur5n- z^%_gMdCvs`wMci=`IK){9*RsNA}bl=>ReagTyUN7w4k8X2F(^|_0oiaRmQU@O@LrU zGm+?5krlZR!~VyLbiOPd`|St!zuvg>Z1Upvg_%MO<*^enyeWiG2x9zj;-K{D(z_Fa zfdLU%N$6(YOL?@%!he|R&maCjgdZnBs6qoeSVaUP+Ofn2!@we_Xyv!kK6Um7>r>N7ngmQ- z4ZAlj%V)^OkU(e~fz=^~*jm0Xkm-PKZ2o{E-9#M%iDQbZET=K^IyBDMG>yB0xV+c* M7VG9OrKZT=0Rj;=@c;k- literal 0 Hc-jL100001 diff --git a/tests/sip-pattern-matching/test.yaml b/tests/sip-pattern-matching/test.yaml new file mode 100644 index 000000000..2d5874db1 --- /dev/null +++ b/tests/sip-pattern-matching/test.yaml @@ -0,0 +1,19 @@ +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: sip + sip.method: "REGISTER" + sip.uri: "sip:sip.cybercity.dk" + sip.version: "SIP/2.0" + sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0" + - filter: + min-version: 8 + count: 1 + match: + event_type: sip + sip.version: "SIP/2.0" + sip.code: "401" + sip.reason: "Unauthorized" + sip.response_line: "SIP/2.0 401 Unauthorized" diff --git a/tests/sip-tcp-body-frames/README.md b/tests/sip-tcp-body-frames/README.md new file mode 100644 index 000000000..21918c677 --- /dev/null +++ b/tests/sip-tcp-body-frames/README.md @@ -0,0 +1 @@ +Match on SIP frames. diff --git a/tests/sip-tcp-body-frames/test.rules b/tests/sip-tcp-body-frames/test.rules new file mode 100644 index 000000000..2767052c1 --- /dev/null +++ b/tests/sip-tcp-body-frames/test.rules 
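Review bot: This `test.yaml` has no `requires:` block and no `args:` block, unlike `tests/sip-tcp-pattern-matching/test.yaml`, whose pcap is generated the same way with flowsynth and which passes `-k none`; if the flowsynth capture carries invalid checksums, the default checksum validation could presumably skip the flow here. Every check is also filtered with `min-version: 8`, so on an older Suricata the test runs with nothing asserted. Adding a `requires:` block with `min-version: 8` and an `args:` block with `- -k none` would make the intent explicit and keep the two pattern-matching tests consistent.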
@@ -0,0 +1,11 @@
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:2;)
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"0|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)
diff --git a/tests/sip-tcp-body-frames/test.yaml b/tests/sip-tcp-body-frames/test.yaml
new file mode 100644
index 000000000..aeca4e9db
--- /dev/null
+++ b/tests/sip-tcp-body-frames/test.yaml
@@ -0,0 +1,62 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 22 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 31 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 32 + frame.type: "request.headers" + frame.complete: true + frame.length: 532 + frame.direction: toserver + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 41 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 42 + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-method/README.md b/tests/sip-tcp-method/README.md new file mode 100644 index 000000000..83094d8f3 --- /dev/null +++ b/tests/sip-tcp-method/README.md @@ -0,0 +1 @@ +Match on SIP over TCP method field. 
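Review bot: The `test.rules` for this test defines sids 2, 11, 21, 22, 31, 32, 41 and 42, but the checks here assert only 2, 22, 31, 32, 41 and 42, so sid 11 (`frame:pdu` to_client) and sid 21 (`frame:request.line` with `startswith`) can stop matching without failing the test. Adding one check per missing sid, plus a total `event_type: alert` check with `count: 8`, pins the whole rule file. Unlike `tests/sip-tcp-method/test.yaml`, which uses the same pcap, this file does not pass `--set app-layer.protocols.sip.enabled=yes`; if relying on the default is intended here, the two files should still agree.
```yaml
  - filter:
      min-version: 8
      count: 1
      match:
        event_type: alert
        alert.signature_id: 11
  - filter:
      min-version: 8
      count: 1
      match:
        event_type: alert
        alert.signature_id: 21
  # … unchanged: existing checks for sids 2, 22, 31, 32, 41, 42 and the stats check …
```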
diff --git a/tests/sip-tcp-method/sip-tcp.pcap b/tests/sip-tcp-method/sip-tcp.pcap new file mode 100755 index 0000000000000000000000000000000000000000..4820afad5fdcd9d53930cc494c7a15ee68b3ed6b GIT binary patch literal 2018 zc-qC4&x_M&7{}kn!5?Lcj^n|b@7_jCGD(`INjhDot?5ulr*+Z_<3-Zs%}kv1$EMkt zx*)p#1LDE6dfe+CmPHhnodFNB%sL3(1Q7(0WzRaleA2Nvt+5~|2Hw)XKR(a%KF{~t zJYD(y9)*U`$7cvd;Pd(VJ45*Q5IO_j&!FDtAkq+;SbIB(CilC4T|+1mj91j?>dTS) ze+N76QajJKIfSU8oo7ST!RYhk59fpV$i96C0`mERWP}3p#QiRLboCYGlwP-izH;~I z&f|V^FuLR#kh4I_hLOd!cb%Lc_2s+*^efkoP-uG$CL8Eijxp0*Qoo3>8p4m$W4)xQbL>ziRC%pQ}`4&2kO9 zvLMcjmz~Tq%fc3&{G?(Yce@aa1|9xmpk@wF1|4Q@^r`X6%aI5A^&^q3FwOh}#0?;9 zgc1K++w7=txK}d|^sZ*MU-S~ScGK|)bV=f%O&Qm1EUUOMbD>byXq?GS(>Rxz$!TY4 zoSlQ2nPRz+pQGWDd2N=)=QLfAyR4x=}bQ+H4i!|0NSv@yf$ZD}@rA0g@Gf(Q! z{EH2zNj&T=LE$+z&I%tQGTIWXLlR9$g+TXdyx6R{H1-X5aaTOB&YUInd4EC0kmzo4 z{~ui3OsBZNep=jz!%*DKu;Si)atJXL>WqFOb>eU~AfCD%N<1FfM8|rGAB=?sj>E<2 zZ{xPK7zaYiBPMZ{h?U-p{6drLYTmLW-nJ#4$eduwM5q!wVe_IS@WhUr0-G@T>UXiz zSN{)5kzMhpJKEQYw?sS@FB&z&ah(PpOR&JkV{KWwB#Gm$Q~$Yr^5g(H-gz?c{jk+> z=4!7q9}YXEH`eF8zJGlnal1oY2_=q%zj1C|jSjL*u49>Ny#jw@0X5cVnX3WuJ@FVA A-2eap literal 0 Hc-jL100001 diff --git a/tests/sip-tcp-method/sip_client.c b/tests/sip-tcp-method/sip_client.c new file mode 100644 index 000000000..7ff4dd441 --- /dev/null +++ b/tests/sip-tcp-method/sip_client.c 
@@ -0,0 +1,137 @@ +#include // inet_addr() +#include +#include +#include +#include +#include // bzero() +#include +#include // read(), write(), close() +#define MAX 1024 +#define PORT 5060 +#define SA struct sockaddr + +void func(int sockfd) +{ + char msg1[] = { + 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, + 0x20, 0x73, 0x69, 0x70, 0x3a, 0x31, 0x39, 0x32, + 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, + 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e, + 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43, + 0x50, 0x20, 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, + 0x30, 0x0d, 0x0a, 0x56, 0x69, 0x61, 0x3a, 0x20, + 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x2f, + 0x54, 0x43, 0x50, 0x20, 0x31, 0x39, 0x32, 0x2e, + 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, + 0x3a, 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x62, + 0x72, 0x61, 0x6e, 0x63, 0x68, 0x3d, 0x7a, 0x39, + 0x68, 0x47, 0x34, 0x62, 0x4b, 0x2d, 0x35, 0x32, + 0x34, 0x32, 0x38, 0x37, 0x2d, 0x31, 0x2d, 0x2d, + 0x2d, 0x64, 0x63, 0x66, 0x34, 0x65, 0x64, 0x64, + 0x66, 0x61, 0x66, 0x39, 0x66, 0x31, 0x32, 0x33, + 0x39, 0x3b, 0x72, 0x70, 0x6f, 0x72, 0x74, 0x0d, + 0x0a, 0x4d, 0x61, 0x78, 0x2d, 0x46, 0x6f, 0x72, + 0x77, 0x61, 0x72, 0x64, 0x73, 0x3a, 0x20, 0x37, + 0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x61, + 0x63, 0x74, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, + 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, + 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, + 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, 0x33, + 0x37, 0x36, 0x3b, 0x72, 0x69, 0x6e, 0x73, 0x74, + 0x61, 0x6e, 0x63, 0x65, 0x3d, 0x62, 0x65, 0x32, + 0x65, 0x63, 0x39, 0x38, 0x64, 0x30, 0x66, 0x34, + 0x33, 0x65, 0x37, 0x30, 0x63, 0x3b, 0x74, 0x72, + 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, + 0x74, 0x63, 0x70, 0x3e, 0x0d, 0x0a, 0x54, 0x6f, + 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39, + 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39, + 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, + 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, + 0x6e, 0x73, 0x70, 0x6f, 0x72, 
0x74, 0x3d, 0x54, + 0x43, 0x50, 0x3e, 0x0d, 0x0a, 0x46, 0x72, 0x6f, + 0x6d, 0x3a, 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, + 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, + 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, + 0x33, 0x2e, 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, + 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, + 0x54, 0x43, 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67, + 0x3d, 0x39, 0x62, 0x39, 0x39, 0x31, 0x36, 0x37, + 0x66, 0x0d, 0x0a, 0x43, 0x61, 0x6c, 0x6c, 0x2d, + 0x49, 0x44, 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74, + 0x59, 0x55, 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61, + 0x66, 0x55, 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69, + 0x41, 0x77, 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53, + 0x65, 0x71, 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45, + 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a + }; + + char msg2[] = { + 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a, + 0x20, 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x41, 0x6c, + 0x6c, 0x6f, 0x77, 0x3a, 0x20, 0x49, 0x4e, 0x56, + 0x49, 0x54, 0x45, 0x2c, 0x20, 0x41, 0x43, 0x4b, + 0x2c, 0x20, 0x43, 0x41, 0x4e, 0x43, 0x45, 0x4c, + 0x2c, 0x20, 0x42, 0x59, 0x45, 0x2c, 0x20, 0x4e, + 0x4f, 0x54, 0x49, 0x46, 0x59, 0x2c, 0x20, 0x52, + 0x45, 0x46, 0x45, 0x52, 0x2c, 0x20, 0x4d, 0x45, + 0x53, 0x53, 0x41, 0x47, 0x45, 0x2c, 0x20, 0x4f, + 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x2c, 0x20, + 0x49, 0x4e, 0x46, 0x4f, 0x2c, 0x20, 0x53, 0x55, + 0x42, 0x53, 0x43, 0x52, 0x49, 0x42, 0x45, 0x0d, + 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, + 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x5a, 0x6f, 0x69, + 0x70, 0x65, 0x72, 0x20, 0x72, 0x76, 0x32, 0x2e, + 0x31, 0x30, 0x2e, 0x33, 0x2e, 0x32, 0x0d, 0x0a, + 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x2d, 0x45, 0x76, + 0x65, 0x6e, 0x74, 0x73, 0x3a, 0x20, 0x70, 0x72, + 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x2c, 0x20, + 0x6b, 0x70, 0x6d, 0x6c, 0x2c, 0x20, 0x74, 0x61, + 0x6c, 0x6b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, + 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, + 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x0d, + 0x0a + }; + + char buff[MAX]; + + write(sockfd, msg1, 
sizeof(msg1)); + write(sockfd, msg2, sizeof(msg2)); + bzero(buff, sizeof(buff)); + read(sockfd, buff, sizeof(buff)); + +} + +int main() +{ + int sockfd, connfd; + struct sockaddr_in servaddr, cli; + + // socket create and verification + sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd == -1) { + printf("socket creation failed...\n"); + exit(0); + } + else + printf("Socket successfully created..\n"); + bzero(&servaddr, sizeof(servaddr)); + + // assign IP, PORT + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = inet_addr("127.0.0.1"); + servaddr.sin_port = htons(PORT); + + // connect the client socket to server socket + if (connect(sockfd, (SA*)&servaddr, sizeof(servaddr)) + != 0) { + printf("connection with the server failed...\n"); + exit(0); + } + else + printf("connected to the server..\n"); + + func(sockfd); + + close(sockfd); +} + diff --git a/tests/sip-tcp-method/sip_server.c b/tests/sip-tcp-method/sip_server.c new file mode 100644 index 000000000..f8bd4f57a --- /dev/null +++ b/tests/sip-tcp-method/sip_server.c 
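Review bot: The return values of `write()` and `read()` in `func` (from `write(sockfd, msg1, sizeof(msg1));` onward) are ignored, so a short or failed send silently yields a truncated capture, and both failure branches in `main` call `exit(0)`, reporting success to the shell; `exit(1)` would be right there. Sending `msg1` and `msg2` as two separate writes looks deliberate, presumably so the REGISTER is split across TCP segments, and deserves a comment saying so rather than leaving the next reader to guess. `connfd` and `cli` in `main` are unused, and `main` falls off the end without a return value.
```c
    /* two writes on purpose: presumably so the REGISTER spans two TCP segments -- confirm */
    if (write(sockfd, msg1, sizeof(msg1)) != (ssize_t)sizeof(msg1) ||
        write(sockfd, msg2, sizeof(msg2)) != (ssize_t)sizeof(msg2)) {
        printf("write to server failed...\n");
        exit(1);
    }
    bzero(buff, sizeof(buff));
    if (read(sockfd, buff, sizeof(buff)) < 0) {
        printf("read from server failed...\n");
        exit(1);
    }
```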
@@ -0,0 +1,140 @@ +#include +#include +#include +#include +#include +#include +#include +#include // read(), write(), close() +#define MAX 1024 +#define PORT 5060 +#define SA struct sockaddr + +void func(int connfd) +{ + char msg[] = { + 0x53, 0x49, 0x50, 0x2f, 0x32, 0x2e, 0x30, 0x20, + 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, + 0x56, 0x69, 0x61, 0x3a, 0x20, 0x53, 0x49, 0x50, + 0x2f, 0x32, 0x2e, 0x30, 0x2f, 0x54, 0x43, 0x50, + 0x20, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, + 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a, 0x34, 0x38, + 0x33, 0x37, 0x36, 0x3b, 0x62, 0x72, 0x61, 0x6e, + 0x63, 0x68, 0x3d, 0x7a, 0x39, 0x68, 0x47, 0x34, + 0x62, 0x4b, 0x2d, 0x35, 0x32, 0x34, 0x32, 0x38, + 0x37, 0x2d, 0x31, 0x2d, 0x2d, 0x2d, 0x64, 0x63, + 0x66, 0x34, 0x65, 0x64, 0x64, 0x66, 0x61, 0x66, + 0x39, 0x66, 0x31, 0x32, 0x33, 0x39, 0x3b, 0x72, + 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x34, 0x33, 0x31, + 0x36, 0x38, 0x3b, 0x72, 0x65, 0x63, 0x65, 0x69, + 0x76, 0x65, 0x64, 0x3d, 0x31, 0x39, 0x32, 0x2e, + 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, + 0x0d, 0x0a, 0x54, 0x6f, 0x3a, 0x20, 0x3c, 0x73, + 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36, 0x35, + 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, + 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x30, 0x30, + 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, + 0x72, 0x74, 0x3d, 0x54, 0x43, 0x50, 0x3e, 0x3b, + 0x74, 0x61, 0x67, 0x3d, 0x39, 0x64, 0x64, 0x36, + 0x31, 0x66, 0x66, 0x36, 0x31, 0x65, 0x38, 0x30, + 0x32, 0x64, 0x38, 0x65, 0x32, 0x62, 0x65, 0x66, + 0x35, 0x66, 0x31, 0x34, 0x36, 0x32, 0x31, 0x65, + 0x66, 0x33, 0x63, 0x32, 0x2e, 0x35, 0x63, 0x31, + 0x62, 0x0d, 0x0a, 0x46, 0x72, 0x6f, 0x6d, 0x3a, + 0x20, 0x3c, 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38, + 0x37, 0x36, 0x35, 0x34, 0x40, 0x31, 0x39, 0x32, + 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, + 0x31, 0x30, 0x30, 0x3b, 0x74, 0x72, 0x61, 0x6e, + 0x73, 0x70, 0x6f, 0x72, 0x74, 0x3d, 0x54, 0x43, + 0x50, 0x3e, 0x3b, 0x74, 0x61, 0x67, 0x3d, 0x39, + 0x62, 0x39, 0x39, 0x31, 0x36, 0x37, 0x66, 0x0d, + 0x0a, 0x43, 
0x61, 0x6c, 0x6c, 0x2d, 0x49, 0x44, + 0x3a, 0x20, 0x38, 0x4f, 0x6d, 0x74, 0x59, 0x55, + 0x55, 0x38, 0x45, 0x64, 0x6c, 0x61, 0x66, 0x55, + 0x68, 0x34, 0x67, 0x34, 0x6a, 0x69, 0x41, 0x77, + 0x2e, 0x2e, 0x0d, 0x0a, 0x43, 0x53, 0x65, 0x71, + 0x3a, 0x20, 0x31, 0x20, 0x52, 0x45, 0x47, 0x49, + 0x53, 0x54, 0x45, 0x52, 0x0d, 0x0a, 0x43, 0x6f, + 0x6e, 0x74, 0x61, 0x63, 0x74, 0x3a, 0x20, 0x3c, + 0x73, 0x69, 0x70, 0x3a, 0x39, 0x38, 0x37, 0x36, + 0x35, 0x34, 0x40, 0x31, 0x39, 0x32, 0x2e, 0x31, + 0x36, 0x38, 0x2e, 0x34, 0x33, 0x2e, 0x31, 0x3a, + 0x34, 0x38, 0x33, 0x37, 0x36, 0x3b, 0x72, 0x69, + 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x3d, + 0x62, 0x65, 0x32, 0x65, 0x63, 0x39, 0x38, 0x64, + 0x30, 0x66, 0x34, 0x33, 0x65, 0x37, 0x30, 0x63, + 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, + 0x72, 0x74, 0x3d, 0x74, 0x63, 0x70, 0x3e, 0x3b, + 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3d, + 0x36, 0x30, 0x30, 0x0d, 0x0a, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x3a, 0x20, 0x6b, 0x61, 0x6d, + 0x61, 0x69, 0x6c, 0x69, 0x6f, 0x20, 0x28, 0x35, + 0x2e, 0x32, 0x2e, 0x31, 0x20, 0x28, 0x78, 0x38, + 0x36, 0x5f, 0x36, 0x34, 0x2f, 0x6c, 0x69, 0x6e, + 0x75, 0x78, 0x29, 0x29, 0x0d, 0x0a, 0x43, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, + 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x30, 0x0d, + 0x0a, 0x0d, 0x0a + }; + + char buff[MAX]; + + bzero(buff, sizeof(buff)); + read(connfd, buff, sizeof(buff)); + read(connfd, buff, sizeof(buff)); + write(connfd, msg, sizeof(msg)); +} + +int main() +{ + int sockfd, connfd, len; + struct sockaddr_in servaddr, cli; + + sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd == -1) { + printf("socket creation failed...\n"); + exit(0); + } + else + printf("Socket successfully created..\n"); + bzero(&servaddr, sizeof(servaddr)); + + // assign IP, PORT + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = htonl(INADDR_ANY); + servaddr.sin_port = htons(PORT); + + // Binding newly created socket to given IP and verification + if ((bind(sockfd, 
(SA*)&servaddr, sizeof(servaddr))) != 0) { + printf("socket bind failed...\n"); + exit(0); + } + else + printf("Socket successfully binded..\n"); + + // Now server is ready to listen and verification + if ((listen(sockfd, 5)) != 0) { + printf("Listen failed...\n"); + exit(0); + } + else + printf("Server listening..\n"); + len = sizeof(cli); + + // Accept the data packet from client and verification + connfd = accept(sockfd, (SA*)&cli, &len); + if (connfd < 0) { + printf("server accept failed...\n"); + exit(0); + } + else + printf("server accept the client...\n"); + + // Function for chatting between client and server + //func(connfd); + func(connfd); + + // After chatting close the socket + close(sockfd); +} + diff --git a/tests/sip-tcp-method/test.rules b/tests/sip-tcp-method/test.rules new file mode 100644 index 000000000..1fd849f78 --- /dev/null +++ b/tests/sip-tcp-method/test.rules @@ -0,0 +1 @@ +alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;) diff --git a/tests/sip-tcp-method/test.yaml b/tests/sip-tcp-method/test.yaml new file mode 100644 index 000000000..3b21824d5 --- /dev/null +++ b/tests/sip-tcp-method/test.yaml @@ -0,0 +1,28 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-pattern-matching/Makefile b/tests/sip-tcp-pattern-matching/Makefile new file mode 100644 index 000000000..4cad1e9f4 --- /dev/null +++ b/tests/sip-tcp-pattern-matching/Makefile @@ -0,0 +1,3 @@ +sip.pcap: sip-tcp-pattern-matching.syn + flowsynth.py -f pcap -w $@ $^ + 
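Review bot: `len` is declared `int` but its address is passed to `accept()` as the `socklen_t *` length argument in `connfd = accept(sockfd, (SA*)&cli, &len);`, which is an incompatible-pointer-type warning; it should be `socklen_t len = sizeof(cli);`. The two back-to-back `read()` calls in `func` assume the client's two writes arrive as two separate segments, which TCP does not guarantee; if they coalesce, the second `read()` blocks while the client is itself waiting for the response, so a loop that reads until the empty `\r\n\r\n` line has been seen would be robust. `connfd` is never closed (only `sockfd` is), the stray commented-out `//func(connfd);` duplicates the live call and should be dropped, and the error paths call `exit(0)` as in the client.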
diff --git a/tests/sip-tcp-pattern-matching/README.md b/tests/sip-tcp-pattern-matching/README.md new file mode 100644 index 000000000..f78c05298 --- /dev/null +++ b/tests/sip-tcp-pattern-matching/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that SIP/TCP is detected with pattern matching. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn b/tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn new file mode 100644 index 000000000..f3df6d5f0 --- /dev/null +++ b/tests/sip-tcp-pattern-matching/sip-tcp-pattern-matching.syn @@ -0,0 +1,21 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:5062 (tcp.initialize; mss:9000;); +default > (content:"REGISTER sip:sip.cybercity.dk SIP/2.0\x0d +Via: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp151248737-46ea715e192.168.1.2;rport\x0d +From: ;tag=903df0a\x0d +To: \x0d +Call-ID: 578222729-4665d775@578222732-4665d772\x0d +Contact: ;expires=1200;q=0.500\x0d +Expires: 1200\x0d +CSeq: 68 REGISTER\x0d +Content-Length: 0\x0d +Max-Forwards: 70\x0d +User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d\x0a\x0d\x0a";); +default < (content:"SIP/2.0 401 Unauthorized\x0d +Call-ID: 578222729-4665d775@578222732-4665d772\x0d +CSeq: 68 REGISTER\x0d +From: ;tag=903df0a\x0d +To: ;tag=00-04092-1701af62-120c67172\x0d +Via: SIP/2.0/UDP 192.168.1.2;received=80.230.219.70;rport=5060;branch=z9hG4bKnp151248737-46ea715e192.168.1.2\x0d +WWW-Authenticate: Digest realm=\"sip.cybercity.dk\",nonce=\"1701af566be182070084c6f740706bb\",opaque=\"1701a1351f70795\",stale=false,algorithm=MD5\x0d +Content-Length: 0\x0d\x0a\x0d\x0a";); + 
diff --git a/tests/sip-tcp-pattern-matching/sip.pcap b/tests/sip-tcp-pattern-matching/sip.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cd7d18cea6d5208ef1b93e402f2df2eed337b898 GIT binary patch literal 1473 zc-pm;&1)1%7{)8(;%du?YgE>gMbvc>r>&}){+w-zno)*br8Oo&8PuBYnwiE)_oSxH z8V@;S{{b(0@he^y6@(?Sc-xDjprFg52QR^k-aUDUUvH-qqcKDjw&10!-+Jn)x2t~D zk8e+0$)NAhYQ+zRE@ac?IdvPhxz{qkG@KY+M_wZzwH8C4_!XWZg^S`yJ3S z(AM7UybD4lad9&k9Y2z~j9!>?`O}`LTzz

eiccqo2AY4vACe-L*GC=tHbBc)#cgCM3 zE*(>;i+r`9%a0iS^#ei&OMA<`he`)=J80Pusy9*<(hK4d)jxrI%kFljlC07naC`P` zdtZ->sl`;Pn<`aVu_}4!HJsB{V{f7QYuKV1Wd+m78@YlmxIs1Xv0Anw8E2I}G8(k; zFUhjQQ9wNUn4xL9E!d;A*<}>&1SCLV`I%Q8Dj>spbA~{4MXdm zN#)sWih(`~WA4Q^o@f10$+kvxQfvmHa4gU8nP2ryFd{VX?I?;~^Q?iZIUoCc=8$ura9i@l&}yk^G%YA7&bm>1zv_+gS&l zjrR)~B}d@);yl#}2+?v>UV&&Kccgv!X z3b-nh30_A#Q@r@Ng1P{$B;@+c!xvAsj#SurKXJ*dnZavvK^MU5?=ggCkii8)abL(! z#*Ih@r-lCw=k)m&{yzv!Paq^m3dCYLY7ok6I&>KEbb}_PEP5HF@I){ye8(gz%R^90 zHAqUmGY!&LU6-sfFffqY2^$9x1RjrtjeCN+XvbIz-W+r)UGu-7(zPv&LQlX@TD_+0 zRY6Tg3_{F;r`L=EboFW#lu?Tho%|rBd5zW#VptjswPW5CPK`I)VjFMP;o#!NptG+> nTM*uqyUkbTxEsB8LpwXXX?P6FGmHJ!Iwldy97wpUY(eNfo5+Bg literal 0 Hc-jL100001 diff --git a/tests/sip-tcp-pattern-matching/test.yaml b/tests/sip-tcp-pattern-matching/test.yaml new file mode 100644 index 000000000..2a42e507e --- /dev/null +++ b/tests/sip-tcp-pattern-matching/test.yaml @@ -0,0 +1,34 @@ +requires: + min-version: 6 + +args: + - -k none + +checks: + - filter: + min-version: 8 + count: 1 + match: + proto: TCP + event_type: sip + sip.method: "REGISTER" + sip.uri: "sip:sip.cybercity.dk" + sip.version: "SIP/2.0" + sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0" + - filter: + min-version: 8 + count: 1 + match: + proto: TCP + event_type: sip + sip.version: "SIP/2.0" + sip.code: "401" + sip.reason: "Unauthorized" + sip.response_line: "SIP/2.0 401 Unauthorized" + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-protocol/README.md b/tests/sip-tcp-protocol/README.md new file mode 100644 index 000000000..2d175aa3e --- /dev/null +++ b/tests/sip-tcp-protocol/README.md @@ -0,0 +1 @@ +Match on SIP version field. diff --git a/tests/sip-tcp-protocol/test.rules b/tests/sip-tcp-protocol/test.rules new file mode 100644 index 000000000..b68e37811 --- /dev/null +++ b/tests/sip-tcp-protocol/test.rules 
@@ -0,0 +1,2 @@ +alert sip any any -> any any (flow:to_server; sip.protocol; content:"SIP/2.0"; sid:1;) +alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; sid:2;) diff --git a/tests/sip-tcp-protocol/test.yaml b/tests/sip-tcp-protocol/test.yaml new file mode 100644 index 000000000..3bdbe3f9b --- /dev/null +++ b/tests/sip-tcp-protocol/test.yaml @@ -0,0 +1,40 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 2 + match: + event_type: alert + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-request-line/README.md b/tests/sip-tcp-request-line/README.md new file mode 100644 index 000000000..7881b9897 --- /dev/null +++ b/tests/sip-tcp-request-line/README.md @@ -0,0 +1 @@ +Match on the whole SIP request line. diff --git a/tests/sip-tcp-request-line/test.rules b/tests/sip-tcp-request-line/test.rules new file mode 100644 index 000000000..812e51ab7 --- /dev/null +++ b/tests/sip-tcp-request-line/test.rules @@ -0,0 +1 @@ +alert sip any any -> any any (flow:to_server; sip.request_line; content:"REGISTER sip:192.168.43.100\;transport=TCP SIP/2.0"; sid:1;) diff --git a/tests/sip-tcp-request-line/test.yaml b/tests/sip-tcp-request-line/test.yaml new file mode 100755 index 000000000..b87dd3275 --- /dev/null +++ b/tests/sip-tcp-request-line/test.yaml 
@@ -0,0 +1,28 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-response-line/README.md b/tests/sip-tcp-response-line/README.md new file mode 100644 index 000000000..136ca58ae --- /dev/null +++ b/tests/sip-tcp-response-line/README.md @@ -0,0 +1 @@ +Match on the whole SIP response line. diff --git a/tests/sip-tcp-response-line/test.rules b/tests/sip-tcp-response-line/test.rules new file mode 100644 index 000000000..01dfd77ad --- /dev/null +++ b/tests/sip-tcp-response-line/test.rules @@ -0,0 +1 @@ +alert sip any any -> any any (flow:to_client; sip.response_line; content:"SIP/2.0 200 OK"; sid:1;) diff --git a/tests/sip-tcp-response-line/test.yaml b/tests/sip-tcp-response-line/test.yaml new file mode 100755 index 000000000..b87dd3275 --- /dev/null +++ b/tests/sip-tcp-response-line/test.yaml @@ -0,0 +1,28 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-stat-code/README.md b/tests/sip-tcp-stat-code/README.md new file mode 100644 index 000000000..e96cf40e9 --- /dev/null +++ b/tests/sip-tcp-stat-code/README.md @@ -0,0 +1 @@ +Match on SIP stat code field. 
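Review bot: `new file mode 100755` marks this `test.yaml` executable, as it does `tests/sip-tcp-response-line/test.yaml`, `tests/sip-tcp-uri/test.yaml` and `tests/sip-tcp-method/sip-tcp.pcap`, while every other test.yaml and pcap in the patch is `100644`. Data files should not carry the executable bit; clearing it on those four files before merging keeps the modes consistent across the test directories.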
diff --git a/tests/sip-tcp-stat-code/test.rules b/tests/sip-tcp-stat-code/test.rules new file mode 100644 index 000000000..099c902e4 --- /dev/null +++ b/tests/sip-tcp-stat-code/test.rules @@ -0,0 +1 @@ +alert sip any any -> any any (flow:to_client; sip.stat_code; content:"200"; sid:1;) diff --git a/tests/sip-tcp-stat-code/test.yaml b/tests/sip-tcp-stat-code/test.yaml new file mode 100644 index 000000000..b87dd3275 --- /dev/null +++ b/tests/sip-tcp-stat-code/test.yaml @@ -0,0 +1,28 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-stat-msg/README.md b/tests/sip-tcp-stat-msg/README.md new file mode 100644 index 000000000..56ba3ba2c --- /dev/null +++ b/tests/sip-tcp-stat-msg/README.md @@ -0,0 +1 @@ +Match on SIP stat msg field. diff --git a/tests/sip-tcp-stat-msg/test.rules b/tests/sip-tcp-stat-msg/test.rules new file mode 100644 index 000000000..f86c9da06 --- /dev/null +++ b/tests/sip-tcp-stat-msg/test.rules @@ -0,0 +1 @@ +alert sip any any -> any any (flow:to_client; sip.stat_msg; content:"OK"; sid:1;) diff --git a/tests/sip-tcp-stat-msg/test.yaml b/tests/sip-tcp-stat-msg/test.yaml new file mode 100644 index 000000000..b87dd3275 --- /dev/null +++ b/tests/sip-tcp-stat-msg/test.yaml 
@@ -0,0 +1,28 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 diff --git a/tests/sip-tcp-uri/README.md b/tests/sip-tcp-uri/README.md new file mode 100644 index 000000000..c1c134a6d --- /dev/null +++ b/tests/sip-tcp-uri/README.md @@ -0,0 +1 @@ +Match on SIP URI field. diff --git a/tests/sip-tcp-uri/test.rules b/tests/sip-tcp-uri/test.rules new file mode 100644 index 000000000..ef6bfba9c --- /dev/null +++ b/tests/sip-tcp-uri/test.rules @@ -0,0 +1 @@ +alert sip any any -> any any (flow:to_server; sip.uri; content:"sip:192.168.43.100\;transport=TCP"; sid:1;) diff --git a/tests/sip-tcp-uri/test.yaml b/tests/sip-tcp-uri/test.yaml new file mode 100755 index 000000000..a9802dbe9 --- /dev/null +++ b/tests/sip-tcp-uri/test.yaml @@ -0,0 +1,28 @@ +requires: + min-version: 6 + +args: + - -k none + - --set app-layer.protocols.sip.enabled=yes + +pcap: ../sip-tcp-method/sip-tcp.pcap + +checks: + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + - filter: + min-version: 8 + count: 2 + match: + proto: TCP + event_type: sip + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.tx.sip_tcp: 2 + stats.app_layer.flow.sip_tcp: 1 -- 2.47.2